Sort of OT: configuring UFW

Sort of OT: configuring UFW

King, Fred
My apologies for posting a question that's not exactly Koha-related, though could be. I'm hoping that someone here can explain in a way that a simple medical librarian and part-time Koha geek can understand, or point me to a source that can. Yes, I checked the man page.

What I want to do is use UFW (Uncomplicated Firewall) on Ubuntu to allow access to only permitted IP addresses. I can add one IP address without a problem:
   sudo ufw allow from 192.168.1.115 to any port 80

I think I know how to add a range consisting of anything beginning with 192.168.1.*:
   sudo ufw allow from 192.168.1.0/24 to any port 80
(Please correct me if I'm wrong.)

What I need to do is allow access from the range
   192.168.*.*
or something like this
   192.168.22-65.*
or 192.138.187-189.*

Any ideas or sources of information?

Thanks,

--Fred

Fred King, MSLS, AHIP
Medical Librarian, MedStar Washington Hospital Center
[hidden email]<mailto:[hidden email]>
202-877-6670
ORCID 0000-0001-5266-0279
MedStar Authors Catalog: http://medstarauthors.org

I was singing the blues when I was six. Kind of sad, eh?
--Harry Dean Staunton

----------------------------------------------------------------------
MedStar Health is a not-for-profit, integrated healthcare delivery system, the largest in Maryland and the Washington, D.C., region. Nationally recognized for clinical quality in heart, orthopaedics, cancer and GI.

IMPORTANT: This e-mail (including any attachments) may contain information that is private, confidential, or protected by attorney-client or other privilege. If you received this e-mail in error, please delete it from your system without copying it and notify sender by reply e-mail, so that our records can be corrected... Thank you.

Help conserve valuable resources - only print this email if necessary.


_______________________________________________

Koha mailing list  http://koha-community.org
[hidden email]
Unsubscribe: https://lists.katipo.co.nz/mailman/listinfo/koha

Re: Sort of OT: configuring UFW

Hugo Agud Andreu
Perfect! I'll buy two controllers from you; please give me the account details for the transfer.


Re: Sort of OT: configuring UFW

asakovich@hmcpl.org
In reply to this post by King, Fred
One of the easiest IP network calculators to use on the web that I’ve found is at

  http://www.subnet-calculator.com/subnet.php?net_class=B

Put in an IP address, select the right range, and play with the number of bits of masks to see what the resulting groups are that you can get. This form is JS powered, so there’s no submitting and reloading pages to recalculate — it happens as soon as you change a field value.

With masks, you’ve got to remember that the ranges you’re working with are based in binary, so multiples of 1, 2, 4, 8, 16, etc are going to work a whole lot easier than 1, 10, or 100 decimal.

For example, your first query:

192.168.x.x

is easily handled by

192.168.0.0/16.

However, things get complex when you start thinking in terms of decimal and try to map that to binary. So while it’s easy for humans to grok your next request:

192.168.22-65.*

Thinking in terms of binary, 22 = 16+4+2. Yuck.

192.168.22.0/23 = 191.168.22.1 - 191.168.23.254
192.168.24.0/21 = 191.168.24.1 - 191.168.31.254
192.168.32.0/19 = 191.168.32.1 - 191.168.63.254
192.168.64.0/23 = 191.168.64.1 - 191.168.65.254

Yes, you need all 4 of those masks to fill up the whole range. Using the aforementioned calculator, I started off with your base address (192.168.22.0) and kept shrinking the number of bits in the mask until the resulting range fell outside of your desired results (from 24 down to 23 — once I switched to 22 bits, the 192.168.22 subnet dropped to a 192.168.16 range — too far!) Go ahead and try it — put 192.168.22.0 in the IP Address field, and start reducing the number of Mask Bits from 24, to 23, and then 22, keeping an eye on the Host Address Range results.

Next, take the next range up (we ended the first range with 192.168.23, so start at 192.168.24.0) and keep shrinking the mask to increase the range of available hosts until you again go one bit too far and the resulting range falls outside your desired results.

Lather, rinse, repeat, until you have all your subnets.

Hope this makes sense!
Aaron
--
Aaron Sakovich
Internet and Technology Services Manager

Huntsville-Madison County Public Library
915 Monroe Street | Huntsville, Alabama 35801 | https://hmcpl.org/
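
The shrink-the-mask procedure described in the reply above can be automated. The following is an added example, not part of the original messages: it uses Python's standard ipaddress module to split a range of third octets into the fewest CIDR blocks and to count what a too-wide mask would let in. The function names are hypothetical, and it goes slightly beyond the worked case by also handling the 192.138.187-189.* range from the question as written.

```python
import ipaddress

def octet_range_to_cidrs(prefix, lo, hi):
    """Fewest CIDR blocks covering prefix.lo.0 through prefix.hi.255."""
    if not 0 <= lo <= hi <= 255:
        raise ValueError("third-octet bounds must satisfy 0 <= lo <= hi <= 255")
    first = ipaddress.IPv4Address(f"{prefix}.{lo}.0")
    last = ipaddress.IPv4Address(f"{prefix}.{hi}.255")
    return list(ipaddress.summarize_address_range(first, last))

def ufw_rules(cidrs, port=80):
    """One allow rule per block, in the form used in the question."""
    return [f"sudo ufw allow from {net} to any port {port}" for net in cidrs]

def extra_addresses(candidate, first, last):
    """Return the block a mask really selects and how many of its
    addresses fall outside the wanted first..last range."""
    # strict=False snaps the address down to the mask boundary, which is
    # what a firewall effectively matches when host bits are set.
    net = ipaddress.ip_network(candidate, strict=False)
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    overlap_lo = max(lo, int(net.network_address))
    overlap_hi = min(hi, int(net.broadcast_address))
    inside = max(0, overlap_hi - overlap_lo + 1)
    return net, net.num_addresses - inside

if __name__ == "__main__":
    # Ranges taken from the question; the port comes from its ufw commands.
    for prefix, lo, hi in [("192.168", 0, 255),
                           ("192.168", 22, 65),
                           ("192.138", 187, 189)]:
        print(f"# {prefix}.{lo}-{hi}.*")
        for rule in ufw_rules(octet_range_to_cidrs(prefix, lo, hi)):
            print(rule)
    # One mask bit too far: the block no longer starts at .22.0.
    net, extra = extra_addresses("192.168.22.0/22",
                                 "192.168.22.0", "192.168.65.255")
    print(f"# 192.168.22.0/22 really means {net}: {extra} unwanted addresses")
```

Running `sudo ufw status numbered` after applying the printed rules lists them for review against the intended ranges.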





Re: [EXTERNAL] Re: Sort of OT: configuring UFW

King, Fred
Thank you! It almost does. Now I need to think about it for a bit. Or maybe for an octet. 😊
